By Kato Murray
When it comes to lax internet security, people often envision the victim as a frail elderly person getting duped into giving their personal information to that nice Nigerian Prince who emailed them. In reality, according to Proofpoint’s State of the Phish Report, 74 percent of organizations in the United States experienced a successful phishing attack in 2020, a 14 percent increase from the previous year.
We’ve probably all seen the different types of phishing emails that hit our inboxes: urgent messages that appear to come from someone in your organization making an unusual request for gift cards; messages from look-alike addresses such as firstname.lastname@example.org, email@example.com, or heIp@paypal.com (note the capital “I” standing in for the lowercase “l”) asking you to verify your login information or risk account suspension; and messages with attachments claiming to come from your business fax or phone system. In a perfect world, the strictest spam settings would keep these emails from being delivered, or every phishing email would be comically obvious, but the statistics suggest otherwise. Until we find ourselves in that perfect world, there are several things you can do to help protect your organization and your data.
Practice Good Password Habits: Even within the cybersecurity community, there are polarizing views on how often passwords should be changed. Your approach should depend on the other security measures you have in place. Are you using a password manager? Do you have two-factor authentication enabled? Are you using a strong, unique password that hasn’t appeared in a known data breach? If you answered yes to all of these, you can probably get away with changing your password only when there is a reason to (a suspected compromise, a breach notice from the service, or a device that has gone missing). Are you someone who writes passwords down and finds the additional security tedious and redundant? Then you might want to consider changing your passwords quarterly.
For resources shared within your organization (e.g., logins to company tools, shared mailboxes, etc.), I recommend changing the password any time someone who had access to it leaves the organization, since a shared credential is only as secret as the last person who knew it.
Use Two-Factor Authentication: When people ask me whether they should use two-factor authentication, I like to joke that the question is a flow chart with only one arrow and one answer: Yes. Two-factor authentication adds a layer of protection so that typing the correct username and password is not, by itself, enough to get into the account; typically, a code is sent to your phone or email, or generated by an app, for you to enter. (One caveat: a code sent by email only counts as a second factor if the account you are protecting is not the email account itself.) Users sometimes complain that it adds time to their login process, but I can tell you that waiting for a one-time code via text, email, or a third-party app is a lot less tedious than the alternative: the time and energy spent recovering a hacked account. Every website has a different process, so search for the setup instructions for each respective website.
The Importance of Authenticator Apps: To piggyback on the above point, using an authenticator app such as Authy, Google Authenticator, or Microsoft Authenticator to generate your two-factor code is more secure than receiving it by text message. Text-message two-factor is still better than nothing, but a text can be intercepted or redirected by someone who convinces your carrier to move your number to their SIM card, and they can do that without ever touching your phone. An authenticator app, by contrast, computes each code on the device itself from a secret that was shared once when you set it up (the QR code you scanned) and from the current time, so there is nothing in transit to intercept. Note that neither method stops a phishing page that asks for your code and relays it to the real site in real time; being careful about where you type the code (see below) still matters.
If It Looks Like a Duck and Quacks Like a Duck: If that email link looks suspicious, it probably is. If you’re unsure whether you should open that attachment, you probably shouldn’t. Even if the email looks like it’s coming from somewhere familiar (e.g., Microsoft Office, PayPal, Amazon), visit the website directly, by typing the address or using your own bookmark rather than a link in the email, to see whether there is actually an issue with your account. Did you get a strange email from a colleague? Hover the cursor over the sender’s name to see whether it really comes from their address: the display name is whatever the sender chooses to type, so it proves nothing on its own. (For instance, the email might say it’s coming from your good friend Bob, but hovering over the name may reveal it’s coming from PhishGuy@foreignbot.com.)
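The “hover over the sender” check, and the look-alike-address problem from earlier in the article, can be automated for a mailbox or a mail gateway. The following is an added example and not code from the original article: it parses the From header with Python’s standard `email` package, flags a display name that belongs to a known contact but arrives from a different address, and flags an address that becomes a trusted address once confusable characters (capital “I” for “l”, digit “0” for “o”, and so on) are folded. The address book and the list of trusted service addresses are constructed for the example; a real deployment would draw them from a directory.

```python
"""Flag two phishing tells in an email's From header:
  1. the display name matches someone we know, but the address does not;
  2. the address is a confusable-character look-alike of a trusted address.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Set

# Constructed sample data for the example (assumed, not from the article).
KNOWN_CONTACTS: Dict[str, str] = {
    "bob smith": "bob.smith@example.com",
}
TRUSTED_SERVICE_ADDRESSES: Set[str] = {
    "help@paypal.com",  # assumed legitimate support address for the example
}

# Characters that look alike in common fonts, mapped to the letter they imitate.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e"})


def fold_confusables(address: str) -> str:
    """Replace look-alike characters, then lowercase, so 'heIp@paypal.com'
    becomes 'help@paypal.com'. Folding happens before lowercasing because the
    capital I is the whole trick."""
    return address.translate(CONFUSABLES).lower()


def inspect_from_header(raw_message: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing
    looked wrong with the From header (which is not the same as 'safe')."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    if not address:
        return ["From header missing or unparseable"]

    findings: List[str] = []

    # Tell 1: the name says Bob, the address does not.
    expected = KNOWN_CONTACTS.get(display_name.strip().lower())
    if expected and expected != address.lower():
        findings.append(
            f"display name {display_name!r} belongs to {expected}, but mail is from {address}"
        )

    # Tell 2: only after folding confusables does the address become one we trust.
    folded = fold_confusables(address)
    if folded in TRUSTED_SERVICE_ADDRESSES and folded != address.lower():
        findings.append(f"{address} is a lookalike of {folded}")

    return findings


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    'From: "Bob Smith" <bob.smith@example.com>\nSubject: lunch?\n\nSee you at noon.\n',
    'From: Bob Smith <PhishGuy@foreignbot.com>\nSubject: urgent\n\nNeed gift cards ASAP.\n',
    'From: "PayPal Support" <heIp@paypal.com>\nSubject: verify your account\n\nClick here.\n',
    'From: "PayPal" <help@paypal.com>\nSubject: receipt\n\nThanks for your payment.\n',
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(parseaddr(message_from_string(raw)["From"]), "->", inspect_from_header(raw) or "ok")
```

This is a heuristic, not proof of legitimacy: a From address can itself be forged when the receiving domain does not enforce SPF, DKIM, and DMARC, so an empty finding list means only that the two obvious tells are absent.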
Who You Gonna Call?: Make sure that your employees know who to contact if they have concerns about their email, whether it’s because they need their password updated or because they aren’t sure what the procedure is when they get a suspicious email. If you don’t currently have a procedure in place for how best to handle your tech concerns, this might be the perfect time to sit down and discuss what practices you need to put into place.
This list is by no means exhaustive, and there are a number of other processes and programs that you can implement to boost your organization’s safety, whether that means performing regular simulated phishing attacks or frequently engaging in cybersecurity education with your team. The most important thing is that you take steps to make your organization’s security a priority that is regularly revisited and improved as new information becomes available.
Kato Murray is the operations associate for the LMC Groups. He can be reached at email@example.com.